Update SCIM_overview.mdx #627
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,7 +18,7 @@ SCIM streamlines and secures user account management by automating tasks such as | |
| - **Efficiency:** Manages increasing numbers of user accounts efficiently and handles provisioning and permissions without manual intervention. | ||
| - **Consistency:** Standardizes how user data is stored and communicated, ensuring information remains consistent across applications. | ||
| - **Error Reduction:** Minimizes the risk of mistakes from manual data entry or custom integrations. | ||
| - **Security:** Reduces risks by ensuring users don't need multiple passwords and keeps data synchronized, aiding in policy enforcement. | ||
|
|
||
| ### How SCIM Works | ||
|
|
||
|
|
@@ -27,3 +27,25 @@ SCIM operates over REST and JSON protocols, involving: | |
| - **Service Providers (SPs):** Applications such as Slack or Box that require user data from IdPs. | ||
|
|
||
| When changes occur in the IdP (e.g., user profiles created or updated), these changes are automatically synced to the SP, keeping user information up-to-date and providing seamless access to applications and resources. | ||
|
|
||
| ### Multi-tenant SCIM | ||
|
|
||
| The SCIM server supports a tenant-aware URL form so a single Permit environment can back multiple isolated customer tenants. Two URL shapes are supported: | ||
|
|
||
| - **Legacy (single-tenant):** `/scim/v2/{PROJ_ID}/{ENV_ID}/Users` and `/Groups`. All role assignments land in the `default` tenant. Existing integrations continue to work unchanged. | ||
| - **Tenant-aware:** `/scim/v2/{PROJ_ID}/{ENV_ID}/v2/{TENANT_ID}/Users` and `/Groups`. The `TENANT_ID` segment is required — there is no tenant-less `/v2/Users`. SCIM clients (Okta, Entra) bake the tenant into their endpoint configuration, so each tenant points its IdP at its own URL. | ||
|
Contributor
There was a problem hiding this comment. Addressed in beeaa37 — resource endpoints are now listed on their own bullet (
Contributor
There was a problem hiding this comment. Addressed in beeaa37 —
Contributor
There was a problem hiding this comment. Addressed in beeaa37 — added a |
||
|
|
||
| `TENANT_ID` must match `[A-Za-z0-9_-]{1,64}` (1–64 chars: alphanumerics, underscore, hyphen). Invalid values return a 404 at the routing layer before any handler runs. | ||
|
|
||
| #### How users, groups, and tenants relate | ||
|
|
||
| - **Users are environment-scoped.** A SCIM User created via any tenant URL is provisioned once in the Permit environment. The `TENANT_ID` segment is accepted in the URL but does not partition users — `userName` remains globally unique within the environment. | ||
| - **Groups (roles) are environment-scoped definitions.** A Group with `displayName: "Engineering"` resolves to a single role in the environment. If two tenants both create a Group with the same `displayName`, they share the same underlying role definition; the second `POST /Groups` reuses the existing role rather than failing. | ||
| - **Group membership (role assignment) is tenant-scoped.** Adding a user to a Group via `/v2/{TENANT_ID}/Groups/...` grants that user the role *within that tenant*. The same user can hold the `Engineering` role in tenant `acme` and not in tenant `globex`. Membership in one tenant has no effect on membership in another. | ||
|
|
||
| This matches Permit's data model: roles are defined per environment, and assignments carry a tenant. It avoids duplicating role definitions per tenant while keeping each tenant's user-to-role bindings fully independent. | ||
|
|
||
| #### Choosing between the two URLs | ||
|
|
||
| - Use the **legacy URL** for existing single-tenant integrations or when all users share one logical tenant. | ||
| - Use the **tenant-aware URL** when one Permit environment serves multiple customers and each must have its own isolated set of role assignments. Provision one SCIM connection per tenant in your IdP, each pointing at its own `/v2/{TENANT_ID}/...` endpoint. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in beeaa37 — the bullets now lead with a base URL ending at
.../{permit_env_id}(legacy) or.../{tenant_id}(tenant-aware), with a leading sentence noting the SCIM client appends the resource path. Matches the convention inOKTA.mdx:36andEntraID.mdx:55.